hermes-brain/ideas/compliance-framework-mapping.org

:PROPERTIES:
:ID:       e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c
:CREATED:  [2026-05-23 Sat]
:END:
#+title: Compliance Framework Mapping — Global Regulated Industries (Triad-Wide)
#+filetags: :passepartout:triad:compliance:global:oecd:regulation:mapping:

The verification monopoly and domain gate package revenue streams depend on
selling into regulated industries. These industries buy compliance, not software.
The four frameworks below are the most commonly referenced across the triad
knowledge base. This file defines each one, the economic pressure it creates,
and where it maps to the revenue model.

* HIPAA (Health Insurance Portability and Accountability Act)

** What it is

US federal law enacted 1996. Governs how protected health information (PHI)
is stored, transmitted, and accessed. Two relevant rules:

- **Privacy Rule:** controls use and disclosure of PHI. Patients have rights
  to access, amend, and request accounting of disclosures. Minimum necessary
  standard — only the minimum PHI needed for the task may be used.
- **Security Rule:** administrative, physical, and technical safeguards for
  electronic PHI (ePHI). Requires access controls, audit controls, integrity
  controls, person/entity authentication, and transmission security.

** Who must comply

Covered entities (health plans, healthcare clearinghouses, healthcare providers
who transmit any ePHI) and business associates (any vendor handling PHI on behalf
of a covered entity). Business Associate Agreements (BAAs) are mandatory.

** Penalties

Tiered civil penalties: $100-$50,000 per violation, up to $1.5M per year per
violation category. Criminal penalties for knowing misuse (up to 10 years
imprisonment). State AGs can also bring civil actions.

** Why it matters for the triad

HIPAA is the largest single compliance market in US healthcare — every hospital,
clinic, insurer, and health-tech vendor must comply. The [[file:domain-gate-packages.org][HIPAA gate package]]
($50K/yr) encodes the Privacy Rule and Security Rule as ACL2-verifiable gate
constraints. Every PHI access attempt passes through the gate stack, producing
a machine-checkable audit trail that satisfies the Security Rule's audit control
requirement automatically. No separate logging infrastructure needed. Over a
five-year deployment, the accumulated fact store and proof history create
[[file:infrastructure-lock-in.org][infrastructure lock-in]] — switching to a competitor means discarding all of it.

* SOC 2 (System and Organization Controls 2)

** What it is

An auditing standard developed by AICPA (American Institute of CPAs). Not a law.
Certifies that a service organization's controls over security, availability,
processing integrity, confidentiality, and privacy meet defined criteria.

Five Trust Service Criteria (TSC):
- **Security** (mandatory): protection against unauthorized access (firewall,
  access control, intrusion detection)
- **Availability** (optional): system available for operation and use as
  committed (uptime, redundancy, disaster recovery)
- **Processing Integrity** (optional): system processing is complete, valid,
  accurate, timely, and authorized
- **Confidentiality** (optional): information designated as confidential is
  protected as committed
- **Privacy** (optional): personal information is collected, used, retained,
  disclosed, and disposed of in conformity with commitments

Two types:
- **Type I:** controls are suitably designed at a specific point in time
- **Type II:** controls operated effectively over a period (6-12 months)

** Who must comply

Any SaaS or cloud service provider whose enterprise customers require audited
vendors. Table stakes for B2B — most enterprise procurement contracts require
SOC 2 Type II.

** Penalties

No direct fines (not a law). But losing SOC 2 certification means losing
enterprise customers. Misrepresentation of certification status is fraud.

** Why it matters for the triad

SOC 2 is the entry-level certification for the [[file:compute-marketplace.org][compute marketplace]]. A provider
needs SOC 2 Type II to sell compute to enterprises whose procurement policy
requires audited vendors. The gate stack itself maps directly to the Security
criterion (access controls, audit trails) — the Passepartout instance's
deterministic gate log serves as the evidence artifact for the audit. No
separate logging SIEM needed. This is the prerequisite to the larger
[[file:verification-monopoly.org][verification monopoly]] play — once enterprises trust the audit trail, they
buy domain-specific gate packages for the same infrastructure.

* GDPR (General Data Protection Regulation)

** What it is

EU regulation (effective May 2018) governing the processing of personal data of
natural persons in the EU. Extraterritorial — applies to any organization
processing EU personal data regardless of where the organization is based.

Key requirements:
- Lawful basis for processing (consent, contract, legal obligation, vital
  interests, public task, legitimate interests)
- Data minimization — collect only what is necessary
- Purpose limitation — do not reuse data for incompatible purposes
- Storage limitation — delete when no longer needed
- Right of access, rectification, erasure (right to be forgotten),
  data portability, restriction, objection
- Data Protection Impact Assessment (DPIA) for high-risk processing
- Breach notification within 72 hours to supervisory authority
- Data Protection Officer (DPO) appointment for certain controllers/processors
- Data Processing Agreements (DPAs) between controllers and processors

** Who must comply

Any organization that processes personal data of EU residents. Includes
controllers (determine purposes and means) and processors (process on behalf
of controller). Non-EU organizations with EU data subjects are in scope.

** Penalties

Up to 20M EUR or 4% of annual global turnover, whichever is higher. Tiered
system. Supervisory authorities in each member state enforce. Private right
of action for damages.

** Why it matters for the triad

GDPR is the most extraterritorial and aggressively enforced privacy framework.
The gate stack's principle of least privilege maps naturally to GDPR's data
minimization requirement. Every data access is gated by a verified rule that
states the purpose — the proof log is a built-in DPIA artifact. For the
[[file:compute-marketplace.org][compute marketplace]]: a provider processing proofs on EU users' gate data must
maintain DPAs with all clients. Proof logs themselves may constitute personal
data if they reference natural persons (names in access rules, etc.), creating
a demand for privacy-preserving proof techniques. This is why the
[[file:domain-gate-packages.org][GDPR gate package]] includes data-processing agreement templates and
purpose-boundary gate rules that are independently verified by the provider's
[[file:evaluation-harness.org][evaluation harness]].

* FedRAMP (Federal Risk and Authorization Management Program)

** What it is

US federal government's standardized approach to security assessment,
authorization, and continuous monitoring for cloud services. OMB policy
mandate — federal agencies must use FedRAMP-authorized services when available.

Three impact levels based on data sensitivity:

| Level   | Data type | Examples                        | Cost to achieve | Timeline |
|---------|-----------|---------------------------------|-----------------|----------|
| Low     | Public or low-sensitivity | Public websites, unclassified comms | $500K-$1M | 6-12 months |
| Moderate | Controlled Unclassified Info (CUI) | Tax records, health data, law enforcement | $1M-$3M | 12-24 months |
| High    | National security, classified | Defense, intelligence, critical infra | $3M-$5M | 18-36 months |

Two authorization paths:
- **JAB (Joint Authorization Board):** provisional authorization by DHS, GSA,
  DOD. Hardest path, most reusable across agencies.
- **Agency:** authorization by a single federal agency for its own use. Faster
  but less portable.

Requires continuous monitoring (monthly scans, annual assessments, POA&M
for findings).

** Who must comply

Any cloud service provider that sells to US federal agencies. Including
IaaS, PaaS, SaaS. FedRAMP Marketplace lists authorized providers — agencies
are strongly discouraged from using non-authorized services.

** Penalties

No direct fines. Non-authorized providers are simply ineligible for federal
contracts. FedRAMP is a procurement gate, not a regulatory one.

** Why it matters for the triad

FedRAMP is the highest bar and the most expensive certification to obtain.
Few cloud providers achieve it (fewer than 300 authorized products as of 2025).
But those that do capture the US government market with minimal competition.
For the triad: a [[file:compute-marketplace.org][compute marketplace]] provider with FedRAMP Moderate or High
authorization can sell to every federal agency. The gate stack's deterministic
audit trail maps directly to FedRAMP's continuous monitoring requirement —
producing verifiable evidence of control effectiveness on every access, not
just during the annual assessment. This is what justifies the
[[file:domain-gate-packages.org][FedRAMP gate package]] at $100K/yr (the highest price) — it is not a software
package, it is the evidence pipeline for a certification that costs $1M-$5M
and 12-36 months to obtain independently. The [[file:verification-monopoly.org][verification monopoly]] argument
applies hardest here: an agency that has relied on a FedRAMP-authorized compute
provider for five years cannot switch without re-running the entire authorization
process with a new provider.

* US — Financial and Corporate Frameworks

** SOX (Sarbanes-Oxley Act)

US federal law (2002). Mandates internal controls over financial reporting
(ICFR) for publicly traded companies. Section 404 requires management to assess
and auditors to attest to the effectiveness of internal controls.

Who must comply: All US public companies; foreign issuers trading on US exchanges.
~6,000 public companies + foreign filers.

Penalties: Up to $5M fines and 20 years imprisonment for certifying false
financial statements. CEO and CFO personally liable.

Why it matters: Every financial control is a gate rule — who can approve a
journal entry, who can release a payment, who can modify a vendor record. The
gate stack encodes these as ACL2-verified rules and produces the audit trail
that the external auditor needs for Section 404 attestation. First-mover
advantage: SOX is mature (24 years old) but the audit market is $4B+ and
entirely manual — no competitor has automated the evidence pipeline.

** GLBA (Gramm-Leach-Bliley Act)

US federal law governing financial institutions' handling of nonpublic personal
information (NPI). Requires privacy notices, opt-out rights, and a Safeguards
Rule requiring an information security program.

Who must comply: Banks, credit unions, insurance companies, securities firms,
financial advisers. ~20,000 institutions.

Penalties: FTC-enforced. Civil penalties up to $100K per violation; officers
and directors personally liable.

Why it matters: The Safeguards Rule maps directly to gate stack access controls.
Every NPI access is gated; the proof log is the security program's evidence.
First-mover advantage is narrow (GLBA is well-understood) but the market is
large because every financial institution that dodges HIPAA still faces GLBA.

** NY DFS 500 (23 NYCRR 500)

New York State Department of Financial Services cybersecurity regulation for
financial services. The most aggressive US state-level financial cybersecurity
rule. Requires: risk assessment, penetration testing, multi-factor authentication,
incident response plan, annual certification of compliance by the board.

Who must comply: Any entity regulated by NY DFS — banks, insurers, mortgage
brokers, virtual currency companies operating in New York. ~3,000 institutions.

Penalties: $200K-$1M per violation; business license revocation possible.

Why it matters: The annual board certification requirement creates demand for
verifiable evidence of control effectiveness — exactly what the gate stack
produces. First-mover advantage is significant (few vendors target NY DFS 500
specifically) and the regulation is a template that other states are adopting.

* US — State Privacy Frameworks

** CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)

California's comprehensive privacy law — the closest US analogue to GDPR.
CPRA (effective 2023) amended and strengthened CCPA. Key rights: right to
know, delete, opt out of sale/sharing, correct inaccurate data, limit use
of sensitive PI. Private right of action for data breaches.

Who must comply: For-profit businesses with >$25M revenue, or handling >100K
consumer records, or deriving >50% revenue from selling PI. Extraterritorial —
applies to any business collecting CA resident data.

Penalties: $2,500 per violation (intentional: $7,500). Private right of action
for breaches: $100-$750 per incident per consumer. CPRA created the California
Privacy Protection Agency (CPPA) for enforcement.

Why it matters: The opt-out/sale/sharing requirements create complex data flow
gate rules. The gate stack can encode "this data flow crosses a CCPA boundary"
and automatically enforce the opt-out at every data access. First-mover
advantage is moderate (many CCPA tools exist) but none provide a deterministic,
verifiable audit trail — they are all document-based.

** Canadian provincial privacy (Quebec Law 25, Ontario PHIPA)

Quebec Law 25 (2023-2024 phased) is Canada's most aggressive privacy
regulation — closer to GDPR than PIPEDA. Requires: privacy officer appointment,
privacy impact assessments, consent modernization, data portability, right to
de-index, algorithm transparency (automated decision-making disclosures).
Penalties up to $25M CAD or 4% of global revenue.

Why it matters: The algorithm transparency requirement is unique — organizations
must disclose how automated decision systems work. The gate stack's ACL2 proof
log is a natural algorithm transparency artifact. First-mover advantage: this
is a new requirement with no established vendor tooling.

* UK and EU — Additional Frameworks

** UK GDPR / Data Protection Act 2018

Post-Brexit, the UK maintains its own version of GDPR via the Data Protection
Act 2018. Substantively identical to EU GDPR but diverging over time. The UK
has announced separate reforms targeting AI and digital identity. ICO (Information
Commissioner's Office) enforces. Maximum fines: 17.5M GBP or 4% of global turnover.

Why it matters: UK GDPR is EU GDPR's twin market — any gate package designed
for EU GDPR ports directly with verified translation of terminology (supervisory
authority → ICO, DPA → equivalent UK contract clauses). The gate stack's ACL2
prover can verify that the UK version's rules are consistent with the EU version
(and alert when they diverge). This is a concrete ACL2 application.

** NIS2 (Network and Information Security Directive)

EU directive (effective October 2024, member states transpose by October 2025).
Replaces NIS (2016). Expands scope from 7 sectors to 15, covering: energy,
transport, banking, financial market infrastructure, health, drinking water,
wastewater, digital infrastructure, ICT service management, public administration,
space, postal services, food, chemicals, manufacturing (critical products).

Key requirements: risk management measures (supply chain security, incident
handling, business continuity), incident notification (24-hour early warning,
72-hour full report), C-level accountability (management can be held personally
liable for non-compliance), supply chain security for critical vendors.

Who must comply: ~160,000 entities across EU (up from ~30,000 under NIS).
Two tiers: essential (strict) and important (moderate). Extraterritorial — any
organization providing services to EU entities in covered sectors.

Penalties: Up to 10M EUR or 2% of global turnover (essential entities). Personal
liability for management.

Why it matters: NIS2 is the largest European cybersecurity mandate ever.
Every requirement maps to a gate rule: supply chain access verification,
incident notification triggers, business continuity approval chains. First-mover
advantage is urgent — the transposition deadline is October 2025 (17 months).
Organizations need gate packages now. No competitor has a declarative gate
model that maps to NIS2 requirements. $50K/yr NIS2 gate package is a fast sell.

** EU AI Act

First comprehensive AI regulation globally (effective August 2026). Risk-based
tiers: unacceptable (banned), high-risk (conformity assessment), limited
(transparency), minimal (code of conduct). High-risk systems require: risk
management, data governance, technical documentation, transparency, human
oversight, accuracy/robustness/cybersecurity. Third-party conformity assessment
for some high-risk systems (notified bodies).

Who must comply: Providers and deployers of AI systems in the EU. Extraterritorial
if the AI system output is used in the EU. Scope covers GPAI (general-purpose AI)
with additional obligations for systemic-risk GPAI.

Penalties: Up to 35M EUR or 7% of global turnover (higher than GDPR).

Why it matters: The EU AI Act's conformity assessment requirement creates an
instant certification market. Passepartout's gate stack can serve as the
human oversight and accuracy/robustness infrastructure for any AI system
deployed through it. The [[file:verification-monopoly.org][verification monopoly]] argument applies at maximum
force: an ACL2-verified gate stack is the most defensible approach to AI Act
compliance. First-mover advantage: the regulation takes effect August 2026.
No certification body or tool vendor has an ACL2-based compliance pipeline.
First to market captures the standard-setting role.

** DORA (Digital Operational Resilience Act)

EU regulation (effective January 2025) for the financial sector. Requires:
ICT risk management, incident reporting, digital operational resilience testing,
ICT third-party risk management (including contractual access and audit rights
for critical ICT providers), information sharing, threat-led penetration testing
(TLPT) for systemic institutions.

Who must comply: 22,000+ financial entities in the EU (banks, investment firms,
payment processors, crypto-asset providers, insurance companies). Also ICT
third-party providers deemed critical.

Penalties: Up to 2% of average daily turnover × number of days breached, or
10M EUR for legal entities. Personal liability for management.

Why it matters: DORA's third-party risk management requirement is a natural gate
stack use case — every ICT provider access must be gated, logged, and auditable.
TLPT (threat-led penetration testing) maps to the evaluation harness. First-mover
advantage is extremely time-sensitive: DORA is already in effect (January 2025).
Financial institutions are scrambling for compliance tooling. A DORA gate package
at $50K/yr with zero incremental cost per additional user is an immediate sale.

** eIDAS 2.0 (Electronic Identification, Authentication and Trust Services)

EU regulation (amended 2024). Creates the EU Digital Identity Wallet — mandatory
for member states to offer, optional for citizens. Requires: qualified electronic
signatures/seals/timestamps, qualified trust service providers (QTSPs), and the
EU Digital Identity Wallet for identity verification across borders.

Who must comply: Trust service providers, government digital identity systems,
any organization accepting eIDAS-qualified identities. 27 member states must
provide wallets by 2026.

Penalties: Member state enforcement; penalties vary but non-compliance blocks
access to the EU digital identity market.

Why it matters: eIDAS 2.0 creates a verified digital identity layer across the
EU. The gate stack can integrate with eIDAS wallets as the identity provider
for gate rules — "only X, authenticated via eIDAS wallet, may approve this
transaction." First-mover advantage: wallets are being built now; the provider
that integrates with the wallet standard first locks in the identity gate
integration.

** CRA (Cyber Resilience Act)

EU regulation (effective 2025-2027 phased). Mandates cybersecurity requirements
for products with digital elements (hardware and software). Requires: secure-bydesign, vulnerability handling, security updates for minimum 5 years, SBOM
(software bill of materials) disclosure, CE marking for cybersecurity.

Who must comply: Manufacturers, importers, and distributors of connected products
sold in the EU. Categories: default (self-declaration), Class I (third-party
audit), Class II (notified body assessment).

Penalties: Up to 15M EUR or 2.5% of global turnover for non-compliance with
reporting obligations.

Why it matters: CRA's CE marking requirement creates a certification pipeline
that the verification appliance can supply. If Passepartout's gate stack is
itself CRA-compliant (verified by the evaluation harness), it becomes the
compliance infrastructure for any product built on it. First-mover advantage:
Class II products require notified body assessment — the bottleneck is notified
body capacity. The gate stack's automated evidence pipeline bypasses the
bottleneck.

* Japan

** APPI (Act on Protection of Personal Information)

Japan's comprehensive privacy law (amended 2022, fully effective 2023).
Applies to any business handling personal information of Japanese residents.
Key requirements: consent, purpose specification, data retention limits,
cross-border transfer restrictions (opt-in required), mandatory breach reporting,
data subject access/deletion rights, pseudonymized/anonymized data provisions.
Personal Information Protection Commission (PPC) enforces.

Penalties: Up to 100M JPY (~$700K) for violations; criminal penalties up to
1 year imprisonment. Orders to suspend data processing or delete data.

Who must comply: All businesses handling personal information of Japanese
residents. Extraterritorial — applies to non-Japanese businesses targeting
Japanese residents.

Why it matters: APPI's cross-border transfer restrictions require fine-grained
control over which data leaves Japan. The gate stack can encode "this data has
APPI cross-border consent flag = false → block egress." First-mover advantage
is moderate — few non-Japanese vendors target APPI specifically, and the 2022
amendments added requirements that created compliance gaps.

** ISMAP (Government Information System Security Management and Assessment Program)

Japan's government cloud security program — analogous to FedRAMP. Cloud services
used by Japanese government agencies must be ISMAP-authorized. Managed by the
Digital Agency and the Information-technology Promotion Agency (IPA).

Who must comply: Cloud service providers selling to Japanese national and local
government agencies.

Why it matters: Like FedRAMP, ISMAP is a procurement gate. Authorization is
time-consuming and expensive. A compute marketplace provider with ISMAP
authorization has exclusive access to the Japanese government market. First-mover
advantage is significant — as of 2025, fewer than 100 services are ISMAP-registered.

* South Korea

** PIPA (Personal Information Protection Act)

South Korea's comprehensive privacy law (enacted 2011, major amendments 2023
and 2024). One of the strictest privacy regimes globally. Key requirements:
consent, data minimization, purpose limitation, mandatory privacy impact
assessment, data protection officer, breach notification within 72 hours,
cross-border transfer restrictions, right to request data transmission
(portability). The Personal Information Protection Commission (PIPC) enforces
aggressively.

Penalties: Up to 3% of revenue (raised from 0.5% in 2024 amendments). Criminal
penalties up to 5 years imprisonment. PIPC has levied fines of 100B+ KRW (~$75M)
against major tech companies. Class action lawsuits permitted.

Who must comply: Any organization handling personal information of South Korean
residents. Extraterritorial scope is broad and actively enforced.

Why it matters: PIPA is structurally similar to GDPR but with stricter
enforcement and higher penalties relative to market size. The gate stack's
purpose-boundary gates map directly to PIPA's purpose limitation requirement.
First-mover advantage is large — PIPA has fewer compliance automation vendors
than GDPR, and the 2024 amendments (stricter consent, higher fines) are still
settling.

* Australia

** Privacy Act 1988 / Notifiable Data Breaches (NDB) scheme

Australia's federal privacy law (amended 2023-2025). Comprehensive reform in
progress — the Privacy Act Review (2023) proposes significant expansion:
tiered penalties up to $50M AUD (or 30% of turnover, or 3x benefit obtained),
direct right of action for individuals, new tort of serious invasion of privacy,
children's privacy code, automated decision-making transparency.

Who must comply: Most Australian businesses with >$3M AUD turnover; all
health service providers; all businesses handling tax file numbers. Extraterritorial
— applies to any organization with an Australian link.

Penalties: Current maximum $50M AUD (from amendments effective late 2024).
OAIC (Office of the Australian Information Commissioner) enforces. New direct
right of action will increase private litigation.

Why it matters: The Privacy Act Review's proposed automated decision-making
transparency requirements are unique — organizations must disclose the logic
and expected outcomes of AI decisions. The gate stack's ACL2 proof log is the
most defensible transparency artifact available. First-mover advantage: the
reforms are being legislated now; early adoption positions the gate stack as
the reference implementation.

** APRA CPS 234 (Prudential Standard — Information Security)

Australian Prudential Regulation Authority standard for regulated financial
institutions. Requires: clearly defined information security roles and
responsibilities, periodic cybersecurity capability assessments, robust control
testing, timely remediation of control weaknesses, mandatory notification of
material incidents to APRA within 72 hours.

Who must comply: Banks, insurers, superannuation funds regulated by APRA.
~500 entities.

Penalties: APRA can impose capital requirements, license conditions, or
license cancellation for non-compliance. Personal liability for board and
senior management.

Why it matters: CPS 234's control testing requirement creates demand for
continuous verification — exactly what the gate stack and evaluation harness
provide. First-mover advantage: CPS 234 is mature (2019) but enforcement is
escalating. No vendor provides a deterministic control-testing pipeline.

** IRAP (Infosec Registered Assessors Program)

Australian government's cloud security assessment program — analogous to
FedRAMP. Cloud services used by Australian government agencies must have an
IRAP assessment. Managed by the Australian Cyber Security Centre (ACSC).
Assessment levels: Protected (highest), Secret (top secret), Unclassified DLM.

Who must comply: Cloud providers selling to Australian federal, state, and
local government agencies. Also critical infrastructure providers.

Why it matters: Like FedRAMP and ISMAP, IRAP is a procurement gate. An IRAP
Protected-level assessment is expensive and takes 6-12 months. First-mover
advantage: the gate stack's deterministic audit trail can be the primary
evidence artifact, reducing assessment scope/cost.

* India

** DPDP Act 2023 (Digital Personal Data Protection Act)

India's first comprehensive federal privacy law (enacted August 2023, rules
drafting in progress, enforcement expected 2026-2027). Key features: consent
for personal data processing, data processor obligations, data principal rights
(right to access, correction, erasure, grievance redressal), Data Protection
Board of India (DPBI) enforcement, significant penalties, exempted government
processing for sovereignty/national security.

Penalties: Up to 250 Cr INR (~$30M) per breach. Data fiduciary bears primary
responsibility regardless of processor fault.

Who must comply: Any organization processing personal data of Indian residents,
where the data is collected in India or used to profile Indian residents.
Offshore data processors are in scope.

Why it matters: DPDP is a greenfield privacy regime — India had no comprehensive
privacy law before 2023. The rules (implementation details) are being drafted
now. This is the widest first-mover window in the global privacy landscape:
organizations need compliance tooling that doesn't exist yet. The gate stack's
consent-managed data access model maps directly to DPDP's consent framework.
A DPDP gate package at $30K/yr (discounted for India market) captures a market
of hundreds of thousands of businesses with no incumbent vendor.

* Brazil

** LGPD (Lei Geral de Proteção de Dados — Law 13,709/2018)

Brazil's comprehensive privacy law (effective 2020, fines effective 2023).
Modeled on GDPR but with differences: LGPD defines "data processing agents"
(controller and operator), requires appointment of DPO (data protection officer),
mandates breach notification to ANPD (National Data Protection Authority) and
affected data subjects. 10 legal bases for processing (vs 6 in GDPR).

Penalties: Up to 2% of revenue in Brazil per violation, capped at 50M BRL
(~$10M) per violation. ANPD can also order suspension of processing, partial
or total prohibition of database operation.

Who must comply: Any organization (public or private) processing personal data
of Brazilian residents, regardless of where the organization is based. No
revenue threshold.

Why it matters: LGPD affects every business operating in Latin America's largest
economy. The 2% revenue penalty structure creates strong economic incentive.
First-mover advantage: fewer compliance automation vendors in the Portuguese
market. A Portuguese-language gate package with LGPD-specific consent and data
subject rights gates captures a market of 210M people.

* Mexico

** LFPDPPP (Federal Law on Protection of Personal Data Held by Private Parties)

Mexico's federal privacy law (effective 2010, reformed 2024). Key requirements:
consent, notice (privacy notice must specify the "responsible party"), purpose
limitation, data subject rights (ARCO — access, rectification, cancellation,
opposition + deletion, portability), cross-border data transfer limitations,
security breach notification. INAI (National Institute for Transparency,
Access to Information and Personal Data Protection) enforces.

Penalties: Up to 1.9M days of minimum wage (~$5M USD); INAI can also
suspend data processing.

Why it matters: USMCA (US-Mexico-Canada Agreement) trade obligations are
pushing toward privacy regime interoperability. A bilingual (Spanish/English)
gate package covering both LFPDPPP and US frameworks serves the massive
US-Mexico cross-border commerce market. First-mover advantage: LFPDPPP is
less automated than GDPR; the market has fewer vendors and lower expectations.

* International Frameworks

** ISO 27001 (Information Security Management)

International standard for information security management systems (ISMS).
The most widely adopted security certification globally — ~60,000 certified
organizations. Requires: risk assessment, security controls (Annex A, 93
controls across 4 domains), continuous improvement (Plan-Do-Check-Act),
management review, internal audit.

Who must comply: Self-selected — enterprises pursue ISO 27001 certification
because supply chain partners and regulators require it. Increasingly mandatory
for: cloud providers, government contractors, critical infrastructure, and
regulated financial institutions in multiple jurisdictions.

Penalties: No direct fines. Losing certification means losing business.

Why it matters: ISO 27001 is the universal baseline. It is the entry-level
certification that opens every other regulated market. The gate stack maps
to Annex A controls directly (A.9 access control, A.12 operations security,
A.16 incident management, A.18 compliance). First-mover advantage: the ISO
27001 audit market is mature ($68B) and entirely manual (auditors flip through
binders). A gate stack that produces audit evidence automatically is not
competing with other software — it is competing with binders.

** ISO 27701 (Privacy Information Management — PIMS extension to ISO 27001)

International standard extending ISO 27001 for privacy information management.
Aligns with GDPR requirements. Provides a framework for PII (personally
identifiable information) controllers and processors.

Why it matters: ISO 27701 bridges information security and privacy compliance.
An organization with ISO 27001 + ISO 27701 certification has a unified
audit framework. The gate stack's access control gates + privacy gates satisfy
both standards from the same infrastructure. First-mover advantage: adoption is
growing but still low (~1,000 certifications). Early gate package captures the
growth market.

** Basel III (Bank for International Settlements — Basel Committee)

International banking regulatory framework (BIS Basel Committee). Sets minimum
capital requirements, liquidity coverage ratio (LCR), net stable funding ratio
(NSFR), leverage ratio, and counterparty credit risk requirements. National
implementation via local regulators (Federal Reserve, ECB, PRA, BOJ, etc.).

Who must comply: All internationally active banks. Systemically important
financial institutions (G-SIBs) face additional surcharges.

Penalties: Capital adequacy violations trigger regulatory intervention at
increasing severity — restrictions on dividends, mandatory capital raising,
management replacement, resolution.

Why it matters: Basel's risk-weight calculation is rule-heavy and
verification-friendly. The gate stack can encode credit risk weight mappings
and produce auditable proof that capital calculations follow the correct
methodology. First-mover advantage: Basel compliance is done via spreadsheets
and specialized risk platforms. No platform uses formal verification for
risk-weight mapping correctness. A $100K/yr Basel gate package for a G-SIB
is a trivial expense relative to the capital requirement penalty of getting the
mapping wrong.

** FATF (Financial Action Task Force) — AML/CFT Standards

International standard-setter for anti-money laundering and counter-terrorism
financing. 40 Recommendations covering: risk assessment, customer due diligence
(CDD), beneficial ownership transparency, suspicious transaction reporting,
targeted financial sanctions, proliferation financing. National implementation
varies by jurisdiction.

Who must comply: Financial institutions, DNFBPs (designated non-financial
businesses and professions), virtual asset service providers (VASPs). In
practice: every bank, money service business, crypto exchange, and high-value
dealer globally.

Penalties: National enforcement varies. Systemic failures lead to FATF grey-list
(monitoring) or black-list (counter-measures). Grey-listing increases transaction
costs — Iran and North Korea are black-listed.

Why it matters: FATF's CDD requirements are the most widespread and
rule-complex compliance obligation globally. The gate stack can encode
tiered CDD rules, prove that every customer onboarding followed the correct
verification path, and produce an auditable trail for every suspicion
determination. First-mover advantage: AML compliance is a $50B+ market
dominated by legacy vendors (LexisNexis, Thomson Reuters, FICO). None use
formal verification. The gate stack's proof log is a "deterministic audit
trail" that regulators would recognize as superior to the current paper-trail
approach.

** OECD Privacy Guidelines and AI Principles

OECD Privacy Guidelines (revised 2013): Eight principles — collection limitation,
data quality, purpose specification, use limitation, security safeguards,
openness, individual participation, accountability. Non-binding but foundational
— the basis for GDPR, APPI, LGPD, and most other privacy laws.

OECD AI Principles (adopted 2019, updated 2024): Five values-based principles
— inclusive growth and well-being, human-centered values and fairness,
transparency and explainability, robustness and safety, accountability.
Non-binding but influential — the AI Act, Canada's AIDA, and Japan's AI
guidelines all cite them.

Why it matters: The OECD frameworks are indirect revenue drivers. Regulatory
alignment with OECD principles is often a procurement requirement for
international organizations and development finance institutions. First-mover
advantage is about standard-setting: the gate package that maps to OECD
principles first becomes the reference implementation.

** World Bank Environmental and Social Framework (ESF)

The World Bank's framework for managing environmental and social risk in
investment projects. Ten standards: ESS1 (assessment), ESS2 (labor), ESS3
(resource efficiency), ESS4 (community health), ESS5 (land/resettlement),
ESS6 (biodiversity), ESS7 (indigenous peoples), ESS8 (cultural heritage),
ESS9 (financial intermediaries), ESS10 (stakeholder engagement).

Who must comply: Borrowers and project implementers across World Bank-financed
projects in 100+ countries. Also adopted by many multilateral development banks
(MDBs) as their standard.

Why it matters: ESF compliance is condition precedent to World Bank disbursement.
Delays in compliance verification delay project funding. The gate stack's
deterministic rule system can encode ESF standards as execution gates — "no
disbursement unless ESS5 resettlement plan is verified complete." First-mover
advantage: World Bank compliance is entirely document-based (reports, audits,
site visits). A verified gate system is unprecedented.

** IFC Performance Standards (PS)

International Finance Corporation's standards for environmental and social
sustainability in private sector investment. Eight standards: PS1 (risk
management), PS2 (labor), PS3 (resource efficiency), PS4 (community health),
PS5 (land/resettlement), PS6 (biodiversity), PS7 (indigenous peoples), PS8
(cultural heritage). Adopted by over 80 Equator Principles financial
institutions (project finance lenders).

Who must comply: IFC investees and clients; any project finance deal under
the Equator Principles.

Why it matters: The Equator Principles affect $100B+/yr in project finance.
Compliance verification is done by external consultants. The gate stack can
automate the evidence collection and provide verifiable proof that each PS
requirement has been met before financial close. First-mover advantage: no
vendor serves this market with automation — it is entirely consultant-delivered.

** IFRS (International Financial Reporting Standards)

International accounting standards (IFRS Foundation, 166 jurisdictions). IFRS 17
(insurance contracts, effective 2023) and IFRS 9 (financial instruments) are the
most rule-complex — requiring actuarial models, expected credit loss calculations,
and contract classification algorithms.

Who must comply: Publicly listed companies in 166 jurisdictions including the
EU, UK, Japan, Australia, Canada (2024), Brazil, India, South Korea, and most
of Asia and Africa. The US (GAAP) is the major holdout.

Why it matters: IFRS 17 and IFRS 9 are algorithmically complex rule sets.
Getting an actuarial model or credit loss calculation wrong is a financial
reporting error. The gate stack's ACL2 prover can verify that the calculation
implementations match the standard's mathematical requirements. First-mover
advantage: IFRS 17 was the largest accounting change in a decade. Implementation
was a crisis for insurers. The next wave (IFRS 18, sustainability disclosures
via ISSB) is coming. A verified IFRS gate package is a unique value proposition.

** UN/CEFACT (UN Centre for Trade Facilitation and Electronic Business)

UN standards for electronic data interchange (EDI), trade facilitation, and
cross-border data exchange. Key standards: UN/EDIFACT (trade data), Core
Component Library (CCL), Multi-Modal Transport Reference Data Model. Basis
for WTO Trade Facilitation Agreement compliance.

Who must comply: Customs authorities, logistics providers, trade finance banks,
exporters/importers in 170+ WTO member countries.

Why it matters: Cross-border trade data exchange is rule-intensive (tariff
classification, rules of origin, customs valuation, sanitary/phytosanitary
requirements). The gate stack can encode trade compliance rules and prove that
every cross-border data exchange satisfies the applicable regulation. First-mover
advantage: trade compliance is a $15B market dominated by legacy SAP/Oracle
modules and customs brokerages. None use verification.

* First-Mover Window Analysis

The first-mover window is the time in which a new compliance tool can establish
dominance before incumbents respond or the market settles on a standard approach.

| Window | Frameworks | Rationale |
|--------|-----------|-----------|
| **Critical (<12 months)** | EU AI Act (Aug 2026 effective), NIS2 (Oct 2025 deadline), DORA (Jan 2025 — already in effect) | Regulation is active or imminent. Buyers are desperate. No established vendor. |
| **Wide (12-36 months)** | DPDP Act 2023 (rules drafting), India privacy; Privacy Act Review (Australia); Quebec Law 25; CRA phased enforcement | Regulation not yet fully enforced. Rules being written. Market forming. |
| **Mature (commodity)** | GDPR (2018), SOX (2002), HIPAA (1996), GLBA (1999), Basel III (2010), FATF 40 Recs | Market has established vendors. First-mover advantage requires displacing incumbents via superior architecture. |
| **Latent (undiscovered)** | OECD AI Principles, UN/CEFACT, World Bank ESF, IFC PS | Compliance exists but is document-based or consultant-delivered. No software market has formed. The first gate package creates the category. |

* Expanded Revenue Table

| Framework | Region | Gate price/yr | Addressable orgs | Revenue potential | First-mover window | Gate rule type |
|-----------|--------|--------------|------------------|-------------------|---------------------|----------------|
| HIPAA | US | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + access control |
| SOC 2 | US/Global | $50K | 100K+ | $5B | Mature (incumbent disruption) | Access control + audit |
| GDPR | EU | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + consent |
| FedRAMP | US | $100K | 1K (providers) | $100M | Moderate (<300 authorized) | Continuous monitoring |
| SOX | US | $50K | 10K | $500M | Mature (manual audit disruption) | Financial controls |
| GLBA | US | $40K | 20K | $800M | Moderate | Financial privacy |
| NY DFS 500 | US (NY) | $30K | 3K | $90M | Wide | Cybersecurity controls |
| CCPA/CPRA | US (CA) | $40K | 50K+ | $2B | Moderate | Privacy opt-out flows |
| NIS2 | EU | $50K | 160K | $8B | Critical (2025) | Cybersecurity + supply chain |
| EU AI Act | EU | $75K | 100K+ | $7.5B | Critical (Aug 2026) | AI risk management |
| DORA | EU | $50K | 22K+ | $1.1B | Critical (in effect) | ICT resilience |
| eIDAS 2.0 | EU | $30K | 10K+ | $300M | Wide (wallet buildout) | Identity gates |
| CRA | EU | $40K | 50K+ | $2B | Wide (phased 2025-2027) | Product security |
| UK GDPR | UK | $40K | 100K+ | $4B | Mature (GDPR derivative) | Privacy |
| APPI | Japan | $40K | 100K+ | $4B | Moderate | Cross-border privacy |
| ISMAP | Japan | $75K | 500 (providers) | $37.5M | Wide (<100 registered) | Gov cloud assessment |
| PIPA | South Korea | $35K | 50K+ | $1.75B | Wide (2024 amendments settling) | Privacy + consent |
| Privacy Act | Australia | $35K | 50K+ | $1.75B | Wide (reforms legislating) | Privacy + AI transparency |
| APRA CPS 234 | Australia | $40K | 500 | $20M | Moderate | Info security controls |
| IRAP | Australia | $75K | 300 (providers) | $22.5M | Wide | Gov cloud assessment |
| DPDP Act | India | $30K | 500K+ | $15B | Wide (rules drafting) | Privacy + consent |
| LGPD | Brazil | $30K | 200K+ | $6B | Moderate | Privacy |
| LFPDPPP | Mexico | $25K | 50K+ | $1.25B | Wide | Privacy |
| ISO 27001 | Global | $40K | 60K+ | $2.4B | Mature (manual disruption) | ISMS controls |
| ISO 27701 | Global | $35K | 1K+ | $35M | Wide (growing) | Privacy management |
| Basel III | Global (banking) | $100K | 500 (G-SIBs) | $50M | Mature (incumbent disruption) | Capital adequacy |
| FATF AML/CFT | Global | $50K | 50K+ | $2.5B | Mature (incumbent disruption) | CDD + screening |
| IFRS 17 | Global (insurance) | $75K | 5K+ | $375M | Mature (actuarial verification) | Contract classification |
| UN/CEFACT | Global (trade) | $30K | 50K+ | $1.5B | Latent (no market exists) | Cross-border data rules |
| World Bank ESF | Global (dev finance) | $50K | 1K+ (projects) | $50M | Latent (no market exists) | ES compliance gates |
| IFC PS | Global (project finance) | $50K | 500+ (deals) | $25M | Latent (no market exists) | ES compliance gates |

A compute marketplace provider with authorization in 5+ frameworks (FedRAMP + 
ISMAP + IRAP + SOC 2 + ISO 27001) becomes the default infrastructure provider
for regulated cloud globally. The gate package portfolio alone — a mid-size
enterprise running 10+ packages — generates $500K/yr+ in recurring revenue.
At 10,000 such enterprises: $5B/yr. The first-mover advantage is not about any
single framework — it is about being the first to offer a unified gate stack
that maps to all of them.